[dns-operations] PMTUD of .org servers
Mark Andrews
marka at isc.org
Sat Jun 20 23:44:55 UTC 2009
In message <87skhv6kmy.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Paul Vixie:
>
> >> From: Florian Weimer <fw at deneb.enyo.de>
> >> Date: Sat, 20 Jun 2009 16:00:01 +0200
> >>
> >> I know it's very difficult to build static packet filter rules which
> >> handle fragmented traffic properly. (Stateful packet filters which are
> >> part of proprietary network devices are usually not fast enough to cope
> >> with heavy DNS or HTTP traffic.) I can't really fault anyone who tries
> >> to make shortcuts.
> >
> > then they ought to pass all udp fragments to/from their dns servers,
> > statelessly.
>
> Yes, except that it sometimes doubles or triples the rule count
> (there's the issue of small fragment offsets to worry about).
I don't know what crazy syntax your firewall uses, but this is all that you
really need:
add pass ip from any to any frag
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
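As an added example (not from the thread, and not ipfw's own code), here is a small Python model of the stateless policy under discussion: a first-match rule table over raw IPv4 headers in which non-first fragments, which is what ipfw's `frag` keyword matches, are passed regardless of protocol or port, first fragments and whole datagrams are matched on UDP ports as usual, and one guard against the small fragment offset problem Florian mentions (a non-first fragment at offset 8 bytes, which on reassembly overwrites bytes 8..15 of the transport header, see RFC 1858/3128) sits ahead of the fragment pass. The name server address 192.0.2.53, the client 198.51.100.7 and every packet below are constructed here for illustration.

```python
import socket
import struct

# Added example: a stateless first-match packet filter modelled on the ipfw
# rule "pass ip from any to any frag". Not ipfw itself; the rule names are
# descriptive labels, not ipfw syntax.

IPPROTO_TCP = 6
IPPROTO_UDP = 17
DNS_PORT = 53
NS = "192.0.2.53"          # assumed name server (documentation prefix)
CLIENT = "198.51.100.7"    # assumed resolver client (documentation prefix)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, offset, mf, payload):
    """Build an IPv4 packet without options. offset is in bytes (multiple of 8)."""
    assert offset % 8 == 0
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Fields a stateless filter can see in one packet, with no reassembly."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ident": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def udp_ports(p: dict):
    """(sport, dport) if this packet starts a UDP datagram and carries the
    full 8-byte UDP header; None for non-first fragments or truncated headers."""
    if p["proto"] != IPPROTO_UDP or p["offset"] != 0 or len(p["payload"]) < 8:
        return None
    return struct.unpack("!HH", p["payload"][:4])


def _dport(p):
    ports = udp_ports(p)
    return ports[1] if ports else None


def _sport(p):
    ports = udp_ports(p)
    return ports[0] if ports else None


# First match wins, default deny. The tiny-fragment guard must precede the
# fragment pass, otherwise "pass ... frag" would accept the offset-8 fragment.
RULES = [
    ("drop non-first fragment at offset 8 bytes (tiny-fragment guard)",
     lambda p: p["offset"] == 8, "deny"),
    ("pass non-first fragments statelessly",
     lambda p: p["offset"] > 0, "pass"),
    ("pass udp to NS port 53",
     lambda p: p["dst"] == NS and _dport(p) == DNS_PORT, "pass"),
    ("pass udp from NS port 53",
     lambda p: p["src"] == NS and _sport(p) == DNS_PORT, "pass"),
]


def classify(pkt: bytes):
    """Return (action, rule name) for one packet."""
    p = parse_ipv4(pkt)
    for name, match, action in RULES:
        if match(p):
            return action, name
    return "deny", "default deny"


def sample_packets() -> dict:
    """Constructed packets: a query, a fragmented large response, a TCP SYN
    to port 22, a TCP non-first fragment, and an offset-8 fragment."""
    query = struct.pack("!HHHH", 40000, DNS_PORT, 8 + 12, 0) + b"q" * 12
    big = struct.pack("!HHHH", DNS_PORT, 40000, 8 + 1600, 0) + b"r" * 1600
    syn = struct.pack("!HHIIBBHHH", 40001, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return {
        "query": build_ipv4(CLIENT, NS, IPPROTO_UDP, 1, 0, False, query),
        "resp_frag1": build_ipv4(NS, CLIENT, IPPROTO_UDP, 2, 0, True, big[:1480]),
        "resp_frag2": build_ipv4(NS, CLIENT, IPPROTO_UDP, 2, 1480, False, big[1480:]),
        "ssh_syn": build_ipv4(CLIENT, NS, IPPROTO_TCP, 3, 0, False, syn),
        "tcp_frag": build_ipv4(CLIENT, NS, IPPROTO_TCP, 4, 1480, False, b"t" * 64),
        "tiny_frag": build_ipv4(CLIENT, NS, IPPROTO_TCP, 5, 8, False, b"\x00" * 8),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print("%-11s %s (%s)" % (name, *classify(pkt)))
```

Two points the run makes visible: the second fragment of the 1608-byte response has no UDP header, so only the stateless fragment rule can pass it, and that same rule passes the TCP non-first fragment as well, because there is nothing in a non-first fragment to match a port on. That is the trade-off the one-line ipfw rule accepts; the offset-8 guard in front of it is the only extra rule the small-offset problem needs.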